From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 223767] tun device allows modification of if_type to any value causing a page fault and panic
Date: Mon, 20 Nov 2017 13:50:49 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223767

Bug ID: 223767
Summary: tun device allows modification of if_type to any value causing a page fault and panic
Product: Base System
Version: 10.4-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Some People
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: jau@iki.fi

Created attachment 188137
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=188137&action=edit
A patch to check that if_type will be set only to a supported value. For the time being there is only one such value, IFT_PPP.

The tun device allows setting if_type to any random value, though it does not reserve appropriate memory structures for anything else but IFT_PPP. When the if_type field gets modified, the system later on reasonably assumes the appropriate data structures must be there as well. The lack of suitable data structures will result in pretty much any operation on the device causing a certain panic() with a complaint about "a page fault in kernel mode".

In case root allows others to open /dev/tun# (chmod g+rw /dev/tun#) this might become a locally triggered DoS allowing some local users to panic the system at will. They only need to set if_type to e.g. IFT_ETHER and let the program exit. During the post-exit cleanup the system will try to close the file descriptor bound to the device, which will trip the kernel into accessing non-existent Ethernet related data structures, causing "a page fault in kernel mode".

Apply the attached patch to add a check that the if_type field will be set only to a supported value. For the time being there is only one such value, IFT_PPP.

In addition to adding a check for the new if_type value, the attached patch also simplifies the check for readable data in the tunpoll() function.
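The class of bug reported above, as an added userland model in C; it is not the attached patch and not FreeBSD kernel code. The struct, the function names and the choice of EINVAL as the rejection code are assumptions made for illustration; only if_type, IFT_PPP and IFT_ETHER come from the report.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Names follow the report; values as in FreeBSD's net/if_types.h. */
#define IFT_ETHER 0x06
#define IFT_PPP   0x17

/* Hypothetical stand-in for the interface: the type tag tells later code
 * which type-specific state it is allowed to dereference. */
struct model_ifnet {
    uint8_t if_type;
    void   *ppp_state;    /* allocated by the tun-like driver */
    void   *ether_state;  /* never allocated by this driver */
};

/* Allow-list of the types the driver actually backs with state. */
static int type_supported(uint8_t type)
{
    return type == IFT_PPP;
}

/* "Before": the caller-supplied type is stored unchecked. */
int set_type_unchecked(struct model_ifnet *ifp, uint8_t type)
{
    ifp->if_type = type;
    return 0;
}

/* "After": reject a type with no matching state and leave ifp unchanged.
 * EINVAL is an assumed error code, not taken from the patch. */
int set_type_checked(struct model_ifnet *ifp, uint8_t type)
{
    if (!type_supported(type))
        return EINVAL;
    ifp->if_type = type;
    return 0;
}

/* Teardown dispatches on the tag. Returns 0 when the state for the tag
 * exists, -1 where real code would dereference a missing structure. */
int teardown_consistent(const struct model_ifnet *ifp)
{
    switch (ifp->if_type) {
    case IFT_PPP:   return ifp->ppp_state   != NULL ? 0 : -1;
    case IFT_ETHER: return ifp->ether_state != NULL ? 0 : -1;
    default:        return -1;
    }
}
```

The invariant being enforced is that the type tag never names state the driver did not allocate, so it has to be checked at the point where the tag is written, not at teardown.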